DEPARTMENT OF HEALTH & HUMAN SERVICES
OFFICE OF THE SECRETARY
Office for Civil Rights, Region IX

July 31, 2014

Tami Maneson
Kelli Huntsinger, Director of HIMS/Privacy Officer
Northern Inyo Hospital
150 Pioneer Lane
Bishop, CA 93514

Re: OCR Transaction Number: 13-166584

Dear Ms. Maneson and Ms. Huntsinger:

On [date illegible], the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) received a complaint filed by [name illegible] (Complainant). The Complainant alleged violations of the Standards for Privacy of Individually Identifiable Health Information and/or the Security Standards for the Protection of Electronic Protected Health Information (45 C.F.R. Parts 160 and 164, Subparts A, C, and E, the Privacy and Security Rules) by Northern Inyo Hospital (NIH), the covered entity. Specifically, the Complainant alleged that Cherie La[illegible], an NIH Medical Records Clerk, impermissibly obtained her paper medical record and viewed her electronic record without authorization or consent. OCR investigated this complaint as a potential violation of 45 C.F.R. §§ 164.502, the use and disclosure standard of the Privacy Rule, and the safeguards standard of the Privacy Rule.

OCR enforces the Privacy and Security Rules, and also enforces Federal civil rights laws which prohibit discrimination in the delivery of health and human services because of race, color, national origin, disability, age, and under certain circumstances, sex and religion.

The Privacy and Security Rules apply to covered entities, which include only: (1) a health care clearinghouse; (2) a health plan; or (3) a health care provider which transmits any health information in electronic form in connection with a transaction for which HHS has adopted standards.

In a letter dated [illegible], 2014, OCR notified NIH of this complaint. Kelli Huntsinger, Privacy Officer, responded in a letter dated [illegible], 2014, stating that, after a thorough review of the matter, NIH determined that the Medical Records Clerk had accessed the Complainant's electronic record and had obtained the paper record without a work-related purpose. NIH provided a copy of its log, which states that,
on August [illegible], 2013, when the NIH [illegible] was in the process of reorganizing patient records, an NIH employee discovered that the Medical Records Clerk possessed a copy of the Complainant's record at her workstation, without an apparent work-related purpose. Due to the known relationship status between the Medical Records Clerk and the Complainant, an immediate departmental inquiry was conducted. On August 7, 2013, when the Medical Records Clerk returned to work, she mentioned that she possessed the record for her use. That day, NIH retrieved all documents containing the Complainant's protected health information from the Medical Records Clerk. In addition, NIH terminated the Medical Records Clerk from her employment pursuant to its sanctions policy. Her user account was disabled and her access to all NIH medical records was terminated. NIH then conducted a system audit and discovered that the Medical Records Clerk had impermissibly viewed the Complainant's medical record on multiple occasions from August 5, 2010 to April 5, 2013, without authorization or consent.

On August 9, 2013, NIH notified the Complainant and the California Department of Public Health of its findings. On August 14, 2013, Ms. Huntsinger sent a facility-wide email reminder stating that, if an employee accesses or discloses protected health information without a patient's written authorization or without a work-related purpose, the employee will be found in violation of the sanctions policy and will be subject to disciplinary action. The email also warned employees that access to protected health information is monitored and subject to random and regular audits.

On August 28, 2013, Ms. Huntsinger sent another email describing proactive and reactive audits. The email explained that audits will be performed each [illegible], with the intent of sampling NIH's data set to look for possible inappropriate use or activity. The email also stated that reactive audits will
be performed whenever a defined event triggers the need for an audit, such as a patient or employee complaint.

On December 18, 2013, NIH approved two new policies, "Sanctions for Breach of Patient Privacy" and "Auditing of Employee Access to Patient Information," each effective on January 1, 2014. In addition, NIH required all employees to complete training on the new policies.

NIH provided OCR with the following documents:
(1) Minimum Access, Use, and Disclosure of Protected Health Information Policy (Effective Date: 7/17/2013);
(2) Communicating Protected Health Information Via Electronic Mail Policy (Effective Date: [illegible]);
(3) Using and Disclosing Protected Health Information for Payment and Health Care Operations Policy (Effective Date: 7/2013);
(4) Privacy Screen Policy (Effective Date: [illegible]);
(5) Auditing of Employee Access to Patient Information Policy (Effective Date: 1/1/2014);
(6) Information Security and Data [illegible] Policy (Effective Date: 3/12/2013);
(7) Sanctions for Breach of Patient Privacy Policy (Effective Date: 1/1/2014);
(8) a copy of [illegible] training certification for NIH;
(9) a copy of the letters notifying the Complainant and the California Department of Public Health of NIH's findings, dated August 9, 2013; and
(10) a copy of the Misdemeanor Complaint filed against the Medical Records Clerk in Inyo County Superior Court of California, dated January 13, 2014.

On [month illegible] 21, 2014, the Complainant notified OCR that she was concerned that her former husband, a Mammoth Hospital employee, and the Medical Records Clerk's mother, an NIH RN, were involved in the use and disclosure of her medical records. She also explained that the Medical Records Clerk's actions have impacted her wellbeing, as well as her ability to receive local healthcare, as she will not seek care at NIH or Mammoth Hospital in the future. OCR immediately contacted Ms.
Huntsinger about the Complainant's concerns. Ms. Huntsinger told OCR that the Complainant had also informed NIH of these concerns. Ms. Huntsinger stated that she supplied the Complainant with the contact information of Mammoth Hospital's Privacy Office, as the Complainant's former husband works at that hospital, and has never worked for NIH.

On February 24, 2014, per request, Ms. Huntsinger interviewed [name illegible]. In the interview, [name illegible] confirmed that she never accessed the Complainant's medical record. She also stated that, at the time of the complaint incidents, she was unaware that her daughter was accessing and obtaining the Complainant's records.

On March 3, 2014, Ms. Huntsinger notified OCR that, in addition to the safeguards NIH already has in place, NIH has instituted a new policy that prevents unattended NIH employees from going to NIH's offsite facility to retrieve records. Under the new policy, each employee must enter their request for an offsite record into a log and is accompanied by an overseeing employee to retrieve the record.

On March 5, 2014, OCR provided NIH with technical assistance regarding reporting breaches that affect less than 500 individuals to the Secretary, pursuant to 45 C.F.R. § 164.408(c). OCR also provided technical assistance on the requirements for notifying affected individuals, as stated at 45 C.F.R. [illegible]. NIH confirmed that it planned to report the breach to the Secretary within one calendar year of its discovery of the breach. In addition, NIH revised its written policy for responding to potential breaches. NIH provided OCR with a copy of its new "Investigation and Reporting of Unlawful Access, Use or Disclosure of Protected Health Information" policy (Effective 3/20/2014), and provided proof of employee training. The policy contains HIPAA breach notification and reporting requirements, as well as procedures for investigating and assessing potential breaches.

Under the Privacy Rule, a covered entity, such
as NIH, may not use or disclose protected health information except as permitted by the Rule.1 In general, a covered entity must obtain a valid authorization from the individual to disclose protected health information for purposes other than treatment, payment, or health care operations.2

Here, it is undisputed that the Medical Records Clerk impermissibly possessed, used, and disclosed the Complainant's protected health information in violation of the Privacy Rule. Following discovery of the complaint incident, NIH notified the Complainant of the breach, and terminated the Medical Records Clerk from her employment pursuant to its sanctions policy. As described above, NIH has policies regarding the use and disclosure of protected health information. In addition, in response to the complaint incident, NIH created its new "Sanctions for Breach of Patient Privacy," "Auditing of Employee Access to Patient Information," and "Investigation and Reporting of Unlawful Access, Use or Disclosure of Protected Health Information" policies and retrained its workforce accordingly.

1 See 45 C.F.R. [illegible].
2 See 45 C.F.R. [illegible].

A covered entity must also have in place appropriate procedural, administrative, and technical safeguards to protect the privacy of protected health information against impermissible uses and disclosures by [illegible].3 However, the Privacy Rule does not require a particular method for handling patient protected health information. Therefore, a covered entity must review its own circumstances to determine what steps are reasonable to safeguard protected health information and develop and implement policies and procedures to carry out those steps. In this case, NIH has HIPAA policies regarding appropriate safeguards, and has taken the corrective actions outlined above in response to the complaint incident.

All issues raised by the complaint, at the time it was filed, have been resolved through NIH's voluntary compliance.
Therefore, OCR is closing the complaint. OCR's determination as stated in this letter applies only to the allegations in this complaint that were reviewed by OCR.

Under the Freedom of Information Act, we may be required to release this letter and other information about this case upon request by the public. In the event OCR receives such a request, we will make every effort, as permitted by law, to protect information that identifies individuals or that, if released, could constitute a clearly unwarranted invasion of personal privacy.

If you have any questions regarding this matter, please contact [name illegible], OCR Investigator, at (415) 43[illegible]-8318. When contacting this office, please remember to include the reference number that we have given your file. That number is located in the upper left-hand corner of this letter.

Sincerely,

/s/
Michael Leoz
Regional Manager

3 See 45 C.F.R. [illegible].